How to configure Automatic Updates On Debian Wheezy

This tutorial shows how to configure a Debian Wheezy system to have package updates installed automatically without user interaction. In addition to that I will show you what needs to be done to have the system email you about available updates on a daily basis.

1 Configure The System For Unattended Upgrades

To make the system install upgrades automatically, we need to install the package unattended-upgrades. It is also good to have the /usr/bin/mail command on the system in case you want to configure the unattended-upgrades package to send email notifications, therefore we install the package bsd-mailx as well:

apt-get install unattended-upgrades bsd-mailx

You can configure the unattended-upgrades package by modifying the file /etc/apt/apt.conf.d/50unattended-upgrades:

vi /etc/apt/apt.conf.d/50unattended-upgrades

Normally the default configuration should be ok; if you want to change anything, please read the comments in the file which make the configuration self-explaining. For example, you can specify the upgrade origins (default: stable and security), you can blacklist packages that should not be updated, you can have the system email you if there are problems, you can have the system remove unused dependencies after an update, or you can make the system do an automatic reboot if this is needed after an update. Please note: The double slashes // serve as a comment; anything that follows a comment in the same line will not be evaluated.

// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
"origin=Debian,archive=stable,label=Debian-Security";
};
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "[email protected]"
//Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Next create the file /etc/apt/apt.conf.d/02periodic to enable unattended upgrades (again, the file is self-explaining because of the comments):